SIPHON: Towards Scalable High-Interaction Physical Honeypots
Title | SIPHON: Towards Scalable High-Interaction Physical Honeypots |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Guarnizo, Juan David, Tambe, Amit, Bhunia, Suman Sankar, Ochoa, Martin, Tippenhauer, Nils Ole, Shabtai, Asaf, Elovici, Yuval |
Conference Name | Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security |
Date Published | April 2017 |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-4956-7 |
Keywords | Collaboration, composability, high-interaction honeypot, honey pots, Human Behavior, Internet of Things, Internet-scale Computing Security, low-interaction honeypot, Metrics, Policy-Governed Secure Collaboration, pubcrawl, resilience, Resiliency, Scalability |
Abstract | In recent years, the emerging Internet-of-Things (IoT) has led to rising concerns about the security of networked embedded devices. In this work, we propose the SIPHON architecture--a Scalable high-Interaction Honeypot platform for IoT devices. Our architecture leverages IoT devices that are physically at one location and are connected to the Internet through so-called $\backslash$emph\wormholes\ distributed around the world. The resulting architecture allows exposing few physical devices over a large number of geographically distributed IP addresses. We demonstrate the proposed architecture in a large scale experiment with 39 wormhole instances in 16 cities in 9 countries. Based on this setup, five physical IP cameras, one NVR and one IP printer are presented as 85 real IoT devices on the Internet, attracting a daily traffic of 700MB for a period of two months. A preliminary analysis of the collected traffic indicates that devices in some cities attracted significantly more traffic than others (ranging from 600 000 incoming TCP connections for the most popular destination to less than 50 000 for the least popular). We recorded over 400 brute-force login attempts to the web-interface of our devices using a total of 1826 distinct credentials, from which 11 attempts were successful. Moreover, we noted login attempts to Telnet and SSH ports some of which used credentials found in the recently disclosed Mirai malware. |
URL | https://dl.acm.org/doi/10.1145/3055186.3055192 |
DOI | 10.1145/3055186.3055192 |
Citation Key | guarnizo_siphon:_2017 |